Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755625Ab1FZWDg (ORCPT ); Sun, 26 Jun 2011 18:03:36 -0400 Received: from mx2.mail.elte.hu ([157.181.151.9]:44097 "EHLO mx2.mail.elte.hu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755505Ab1FZWBx (ORCPT ); Sun, 26 Jun 2011 18:01:53 -0400 Date: Mon, 27 Jun 2011 00:01:26 +0200 From: Ingo Molnar To: Vasiliy Kulikov Cc: Andrew Morton , James Morris , Namhyung Kim , Greg Kroah-Hartman , kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, Alan Cox , Linus Torvalds Subject: Re: [PATCH v2] kernel: escape non-ASCII and control characters in printk() Message-ID: <20110626220126.GA24004@elte.hu> References: <20110623152137.GA2536@albatros> <20110626103915.GB11093@elte.hu> <20110626165409.GA2584@albatros> <20110626182628.GA20158@elte.hu> <20110626190622.GB4217@albatros> <20110626194618.GA21740@elte.hu> <20110626202518.GA4915@albatros> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20110626202518.GA4915@albatros> User-Agent: Mutt/1.5.20 (2009-08-17) X-ELTE-SpamScore: -2.0 X-ELTE-SpamLevel: X-ELTE-SpamCheck: no X-ELTE-SpamVersion: ELTE 2.0 X-ELTE-SpamCheck-Details: score=-2.0 required=5.9 tests=BAYES_00 autolearn=no SpamAssassin version=3.3.1 -2.0 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4138 Lines: 100 * Vasiliy Kulikov wrote: > On Sun, Jun 26, 2011 at 21:46 +0200, Ingo Molnar wrote: > > > > > > Also, i think it would be better to make this opt-out, i.e. > > > > > > exclude the handful of control characters that are harmful > > > > > > (such as backline and console escape), instead of trying to > > > > > > include the known-useful ones. > > > > > > > > > > Do you see any issue with the check above? > > > > > > > > There were clear problems with the first version you posted and > > > > that's enough proof to request the exclusion of known-dangerous > > > > characters instead of including known-useful characters. > > > > > > It doesn't proof anything. If I/someone else did a mistake with > > > blacklisting would you say it is enough proof to request the > > > inclusion of well-known allowed characters? > > > > No, because the problems such a mistake causes are not equivalent: it > > would have been far more harmful to not print out the *very real* > > product names written in some non-US language than to accidentally > > include some control character you did not think of. > > ??? > > Not "not print", but print in "crypted" form. The information is > still not lost, you can obviously restore it to the original form, > with some effort, but possible. Compare it with the harm of log > spoofing - it is not "restorable". The harm of 'potential' log spoofing affecting exactly zero known users right now, versus the harm of obfuscating the output for a known space of USB devices that print in non-US characters, at minimum. > > > > A black list is well-defined: it disables the display of > > > > certain characters because they are *known to be dangerous*. > > > > > > What do you do with dangerous characters that are *not yet known* > > > to be dangerous? > > > > I'm ready to act on facts only. > > The *fact* is you/anybody/everybody might not know all bad things. > If you just don't care because it is yet unknown then you will be > vulnerable as soon as it disclosured. Erm, do you claim that it's not possible to know which characters are dangerous and which ones not? > > Also, i really prefer the policy of acting on known dangers > > instead of being afraid of the unknown. > > Do you know the principle "Attacks always get better, never worse"? > If you are protected against only of known attack, you will be > vulnerable to *every* danger not known to you. > > Maybe you don't know, but it is really possible to be protected > against some *yet unknown* attack techniques. (The assessment of > what attacks it protects against is undefined too, though.) And > upstream Linux is *already* protected against some *yet unknown* > bugs, not the whole bug classes, but at least small kinds of it. This claim is silly - do you claim some 'unknown bug' in the ASCII printout space? Cannot you be bothered to enumerate the known 'bad' control and escape characters? You *clearly* did not consider the full utility spectrum in the first version of the patch so i think it's necessary due diligence on our part to ask you to be more thoughtful with this ... > > > > A white list on the other hand does it the wrong way around: > > > > it tries to put the 'burden of proof' on the useful, good > > > > guys - and that's counter-productive really. > > > > > > Really? I think strict API definition is productive, unlike > > > using it in cases where it looks like working, but creating > > > tricky and obscure bugs. > > > > You werent really creating a well-defined API here, were you? > > No, I was - only ascii chars and \n are allowed. In v2 all ascii > chars, the upper charset and 2 control chars are allowed. Rather > clear, IMO. Please enumerate the space you excluded and the reason for exclusion. Terminals are not some unknown and unknowable space. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/